TKIP implemented on a Cisco 1200 AP
Last Post: August 25, 2007:
-
I've searched the forum on this but didn't find the answer.
Does checking these boxes "fully enable" TKIP?
1) Enable Message Integrity Check (MIC)
2) Enable Per Packet Keying (PPK)
I have WEP Encryption ticked so I am not using the Cipher option, which offers many more choices.
I have been asked to make the current configuration (static WEP) as secure as possible.
We do NOT use Cisco cards on all the clients.
I've read the TKIP chapter in the excellent "Real 802.11 Security" book and I understand it pretty well (I think!). I believe the confusion is in the infamous vendor description. The Cisco help file for this page is not much help either.
Here's a link to the help page I mentioned
Cisco Help page
Thank you for all the help!
Brad -CWNA-MCSA -
The model is AIR-AP1231G-A-K9
I think I know the answer: "Full TKIP" is only enabled when checking the cipher option and choosing, as you said, one of the TKIP + WEP options.
Simply checking WEP and enabling the TKIP compliant features is not enough to enable TKIP.
Someone post a reply if you have more to add.
Thanks GT! -
I believe that your premise is wrong and that is why you are having trouble.
Static WEP is static WEP. You cannot add any more security to it in its basic form. You would want to use WPA TKIP in order to do both the things you are looking to do. In that case you need a WPA-PSK, not a WEP key.
From my experience with Cisco equipment, enabling TKIP and WEP allows you to use either WPA or WEP on the client connecting to the same AP. -
Maybe I misunderstood the TKIP chapter (p. 231) of Real 802.11 Security. It states that TKIP exists "to allow WEP systems to be upgraded to be secure". I took that to mean that TKIP can be used as a security wrapper for WEP. In reality (what you are saying is) it is not WEP at all. ??
For now I have enabled the feature highlighted in this picture and I'm testing compatibility.
Screen shot of Cisco UI
I appreciate the replies on what is a very deep subject! (CWSP) -
You have to use slot 3 for the static WEP key for WPA TKIP and WEP to interoperate. Look on CCO for "Configuring Cipher Suites and WEP," and "WPA Migration Mode." The TKIP + WEP option should then work.
-
What the book is saying is that existing WEP implementations can be driver/firmware upgraded to use a TKIP implementation to become more secure. This means you don't have to go out and purchase different hardware like most WPA2 implementations, which don't use WEP.
Put in very simple terms, WPA uses TKIP as an interim measure while everyone waited for 802.11i to be approved.
You are going to want to use at least WPA to really secure your network. The following videos should prove informative. I stumbled across them today. This is the first time I have seen a Windows box crack WEP, but Linux boxes have had the ability for a long time. Takes next to nothing to accomplish and quickly too.
http://irongeek.com/i.php?page=videos/airpcap-wireshark-cain-wep-cracking
Also keep your WPA-PSK out of the dictionary.
http://www.irongeek.com/i.php?page=videos/airpcap-cain-wpa-cracking -
:D Hmmm, correct me if I'm wrong, but I think everyone may be misunderstanding the OP's question.
There are separate checkboxes for mic + ppk in the 1200 UI. I believe what these checkboxes are about are Cisco-proprietary pre-standard options that correspond to what is in TKIP itself. I spent most of the summer working through the old Cisco wireless lab manual, using the 1230 and the 1300, and after puzzling over the many confusing options, that's the understanding I came away with.
Now, here is the help page for the 1200 encryption settings, so you can check for yourself:
http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/123-08.JA/1100/h_ap_sec_ap-key-security.htm
If I read this correctly, the 'Cisco compliant TKIP features' are Cisco-proprietary early versions, pre-standard-TKIP.
Please correct me if I'm wrong! I'd like to be certain also.